Splunk Search

Remove events from search that match comma-separated text input

noahdietrich
Explorer

Running Splunk Enterprise 7.3
I am using a text input box to get a list of values from the user to exclude from my search.
For example, in my search the user will supply in the text box the following string: smithJA, JohnsonXL, and I will then remove any entries from my results where the field Account_Name matches either of those names.

I can make this work where return values for only those names, but i cannot do the opposite, where i remove events from the results where the name matches any of the listed names.

here is the XML that i am working with (only returns events that return results where Account_Name matches any of the values given):

<form>
  <label>asdf</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="text" token="txt_ignore_usernames" searchWhenChanged="true">
        <label>field2</label>
      </input>
      <input type="time" token="time_1" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <title>Logons</title>
        <search>
          <query>index=MyIndexName 
| search Account_Name IN ($txt_ignore_usernames$)
| table _time host name Account_Name</query>
          <earliest>$time_1.earliest$</earliest>
          <latest>$time_1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

I tried modifying the search as follows with no luck:

  index=MyIndexName 
 | search NOT [search Account_Name IN ($txt_ignore_usernames$)]
 | table _time host name Account_Name</query>

Anyone have any ideas?
Thanks

0 Karma
1 Solution

VatsalJagani
Super Champion

@noahdietrich,

Please try this search.

index=MyIndexName 
| search NOT Account_Name IN ($txt_ignore_usernames$)
| table _time host name Account_Name

View solution in original post

0 Karma

VatsalJagani
Super Champion

@noahdietrich,

Please try this search.

index=MyIndexName 
| search NOT Account_Name IN ($txt_ignore_usernames$)
| table _time host name Account_Name
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All | Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...